Script Control Test Drive – Quick Start

Overview

Welcome to the Test Drive for Instart Script Control, the best way to protect against web skimming attacks on your websites. We have prepared your accounts with a small amount of synthetic traffic and data so you can safely and easily get hands-on experience with our service in the context of your own website. A Test Drive configuration has been set up that mirrors a production configuration, but is only used to enable your testing.

We recommend you take the following three steps:

Step 1: Explore Script Control Analytics: Log in to the account we've set up for you and explore the analytics that show the frequency of read and write requests from the various scripts on your pages. You can see a time series analysis, with filters that help you see how your site's information is being accessed by the scripts on your site. We encourage you to try different filters to drill in and see the full power of the analytics.

Step 2: Evaluate form field protection: Using a sandboxed Chrome browser extension, observe third-party code logging keystrokes in some form fields, and observe it being prevented from doing so by our form protection rule. This gives you a clear demonstration of threats that might exist on your website and how our service can protect against them.

Note: In no way does the Instart Script Control Test Drive affect your website or use any real data from your actual users during steps 1 and 2.

Step 3: Trial with real data: Trial Instart Script Control on your site with real traffic by easily adding a tag to your page.

Your Test Drive account has been pre-configured with some form field and cookie access rules. Most of the rules are configured in Monitor mode, which provides intelligence on which scripts are accessing your form fields and cookies. With the tag installed on your site, you will be able to see the actual behavior of your tags in production in the Analytics screen. You will have the ability to change any of these rules from Monitor to Deny mode to prevent access for any of your form fields or cookies.

Step 1: Explore Script Control Analytics

After logging in with the credentials we provided, click Script Control > Analytics to see the Analytics screen:

The Analytics screen displays a time series graph showing the frequency of the various read and write events performed by scripts on all your form fields and cookies. For real-world traffic, the pattern should generally match the traffic pattern on your website. It gives you a bird's-eye view of your scripts accessing different elements on your website, and it also lets you go deeper into any script or action to diagnose any anomalies that you may observe.

In addition, you get a table view of all your scripts and the accesses they are attempting. By changing the filters, you can change your views and have full analytics of, and control over, possible web skimming attacks that may be taking place.

In addition, by setting the access control rules in the Rules section to Deny mode, you can prevent any web skimming attacks easily.

Notice that scripts from a number of domains are reading and writing form fields and cookies. This is normal behavior, but you need to be aware of how these scripts are interacting with your site in order to protect your users' personally identifiable information (PII).

Next, click Script Control > Rules to see the list of rules that have been defined. Click one of the items in the list to see the makeup of the rule—some specified conditions and an action that will be taken if the conditions are satisfied.

We’ve created an initial rule that protects some sensitive form fields on your site. The rule denies write and read access to these form fields for our third-party script named instartlogic.github.io (used by the Chrome extension described below). This is the core of a Zero Trust script control strategy—denying scripts access to form fields and cookies by default.
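As an added illustration (this is not Instart's code, and the rule and event fields are assumed shapes, not the product's schema), here is how a small set of Monitor/Deny rules of the kind described above might be applied to script access attempts, with the decided events rolled up into the per-script read/write counts an analytics table would show:

```javascript
// Added illustration, not the product's implementation: rules are conditions
// (script domain, target kind, selector) plus an action; "*" matches any script.
const rules = [
  { script: "instartlogic.github.io", target: "field", selector: "#cc-number", action: "deny" },
  { script: "*", target: "field", selector: "#cc-number", action: "monitor" },
  { script: "*", target: "cookie", selector: "session_id", action: "monitor" },
];

function matches(rule, ev) {
  return (rule.script === "*" || rule.script === ev.script) &&
    rule.target === ev.target && rule.selector === ev.selector;
}

// Decides one access attempt. The first matching rule wins; an attempt that
// matches no rule is allowed but is still recorded so it appears in analytics.
function evaluateAccess(ruleSet, ev) {
  const rule = ruleSet.find((r) => matches(r, ev));
  const action = rule ? rule.action : "allow";
  return { ...ev, action, blocked: action === "deny" };
}

// Aggregates decided events into per-script counts of reads, writes and
// blocked attempts, the kind of table the Analytics screen summarises.
function summarize(decided) {
  const table = {};
  for (const ev of decided) {
    if (!table[ev.script]) table[ev.script] = { read: 0, write: 0, blocked: 0 };
    const row = table[ev.script];
    row[ev.op] += 1;
    if (ev.blocked) row.blocked += 1;
  }
  return table;
}

// Constructed sample access attempts, as a monitoring hook might report them.
const sampleEvents = [
  { script: "instartlogic.github.io", target: "field", selector: "#cc-number", op: "read" },
  { script: "cdn.example-analytics.net", target: "field", selector: "#cc-number", op: "read" },
  { script: "cdn.example-analytics.net", target: "cookie", selector: "session_id", op: "write" },
  { script: "instartlogic.github.io", target: "field", selector: "#email", op: "read" },
];

const decided = sampleEvents.map((ev) => evaluateAccess(rules, ev));
console.table(summarize(decided));
```

Switching a rule's action from "monitor" to "deny" changes only the blocked column for that script, which is the same effect the Rules screen has on what the Analytics screen reports.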

For more detail, see Instart Script Test Drive Guide.

Step 2: Evaluate form field protection

In order to show you a third-party script trying to exfiltrate data entered into form fields, we have provided a Chrome extension called Instart Test Drive – Form Protection, which injects a Magecart-type script into your browser that performs a dummy web skimming attack and displays your keystrokes.

Note: This script injection occurs only locally in each tester’s browser and so in no way compromises your actual website and production traffic.

Download and install the Instart Test Drive – Form Protection Chrome extension from here, then perform the following steps to see the extension in action:

  1. The extension has two controls: Insert Form Protection, which enables the Instart client code, and Insert Malicious Script, which injects the dummy skimming script. Enable both.

  2. Navigate to the page on your site that has the form to test.

  3. Type some text in the form fields. The test rule that we've configured has some of these fields protected in Deny mode. Observe the extension logging your keystrokes in the unprotected fields, and notice that it cannot do this in the protected fields.

Similar attacks could take place on your website if any of the scripts on your page were compromised, including those coming from third parties. By putting the access control rules in Deny mode you get full protection from such attacks.

For more detail, see Instart Script Test Drive Guide.

Step 3: Trial with real data

Now that you've seen how third-party code in the browser can access what a user enters into a form, we can show you how Instart Script Control can protect against this for real world traffic.

To do so, all you need to do is add the following JavaScript code to one or more test pages (ones that contain a form) on your site, one for each domain:

<script type="text/javascript"
onload="this.parentNode&&this.parentNode.removeChild(this)"
data-config='{"SyncConfig": true, "Customer": "instartdemo" }'
src="https://www.nanovisor.io/i10c@p1/nanovisor/latest/auto/instart.js?i10c.opts=tac&i10c.nv.host=www.instartdemo.com"></script>

where you replace the value of Customer in the JSON object (instartdemo above) with your customer name, and the value of the i10c.nv.host query string parameter (www.instartdemo.com above) with the domain you are using to test.

On the form on the test page, identify the DOM selector(s) for one or more of the form's fields. You use this information when you create a form field protection rule to prevent the third-party code from being able to access the values entered in these fields.

(For details on how to determine DOM selectors for form fields, see the Instart Script Control Test Drive Guide.)

After saving the rule, it takes about 10-15 minutes for it to be validated and deployed across our global network. One way to determine that the rule is working is to run the Test Drive extension again and enter some text in one of the protected fields. You should now see that the extension can no longer access this data.

You will also be able to see events in the Analytics screen after about 5-10 minutes have passed for any scripts that might trigger the rule.

For more detail, see Instart Script Test Drive Guide.